CVE List - 2019 / September
Showing 201 - 300 of 1531 CVEs for September 2019 (Page 3 of 16)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-16100 | 2019-09-08 | Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows remote attackers to trigger a web-interface outage via slow client-side HTTP traffic from a single source. |
| CVE-2019-16099 | 2019-09-08 | Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows CSRF via JSON data to a .swf file. |
| CVE-2019-16109 | 2019-09-08 | An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the... |
| CVE-2019-16113 | 2019-09-08 | Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to... |
| CVE-2019-16115 | 2019-09-08 | In Xpdf 4.01.01, a stack-based buffer under-read could be triggered in IdentityFunction::transform in Function.cc, used by GfxAxialShading::getColor. It can, for example, be triggered by sending a crafted PDF document to... |
| CVE-2019-16120 | 2019-09-08 | CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature. |
| CVE-2019-16119 | 2019-09-08 | SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter. |
| CVE-2019-16118 | 2019-09-08 | Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/controllers/Options.php. |
| CVE-2019-16117 | 2019-09-08 | Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php. |
| CVE-2019-16140 | 2019-09-09 | An issue was discovered in the chttp crate before 0.1.3 for Rust. There is a use-after-free during buffer conversion. |
| CVE-2019-16167 | 2019-09-09 | sysstat before 12.1.6 has memory corruption due to an Integer Overflow in remap_struct() in sa_common.c. |
| CVE-2019-16123 | 2019-09-09 | In Kartatopia PilusCart 1.4.1, the parameter filename in the file catalog.php is mishandled, leading to ../ Local File Disclosure. |
| CVE-2019-16126 | 2019-09-09 | Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images. |
| CVE-2019-16125 | 2019-09-09 | In Jobberbase 2.0, the parameter category is not sanitized in public/page_subscribe.php, leading to /subscribe SQL injection. |
| CVE-2019-16124 | 2019-09-09 | In YouPHPTube 7.4, the file install/checkConfiguration.php has no access control, which leads to everyone being able to edit the configuration file, and insert malicious PHP code. |
| CVE-2019-16133 | 2019-09-09 | An issue was discovered in eteams OA v4.0.34. Because the session is not strictly checked, the account names and passwords of all employees in the company can be obtained by... |
| CVE-2019-16132 | 2019-09-09 | An issue was discovered in OKLite v1.2.25. framework/admin/tpl_control.php allows remote attackers to delete arbitrary files via a title directory-traversal pathname followed by a crafted substring. |
| CVE-2019-16131 | 2019-09-09 | framework/admin/modulec_control.php in OKLite v1.2.25 has an Arbitrary File Upload Vulnerability because a .php file from a ZIP archive can be written to /data/cache/. |
| CVE-2019-16130 | 2019-09-09 | YII2-CMS v1.0 has XSS in protected\core\modules\home\models\Contact.php via a name field to /contact.html. |
| CVE-2019-16137 | 2019-09-09 | An issue was discovered in the spin crate before 0.5.2 for Rust, when RwLock is used. Because memory ordering is mishandled, two writers can acquire the lock at the same... |
| CVE-2019-16138 | 2019-09-09 | An issue was discovered in the image crate before 0.21.3 for Rust, affecting the HDR image format decoder. Vec::set_len is called on an uninitialized vector, leading to a use-after-free and... |
| CVE-2019-16139 | 2019-09-09 | An issue was discovered in the compact_arena crate before 0.4.0 for Rust. Generativity is mishandled, leading to an out-of-bounds write or read. |
| CVE-2019-16141 | 2019-09-09 | An issue was discovered in the once_cell crate before 1.0.1 for Rust. There is a panic during initialization of Lazy. |
| CVE-2019-16142 | 2019-09-09 | An issue was discovered in the renderdoc crate before 0.5.0 for Rust. Multiple exposed methods take self by immutable reference, which is incompatible with a multi-threaded application. |
| CVE-2019-16143 | 2019-09-09 | An issue was discovered in the blake2 crate before 0.8.1 for Rust. The BLAKE2b and BLAKE2s algorithms, when used with HMAC, produce incorrect results because the block sizes are half... |
| CVE-2019-16144 | 2019-09-09 | An issue was discovered in the generator crate before 0.6.18 for Rust. Uninitialized memory is used by Scope, done, and yield_ during API calls. |
| CVE-2018-21011 | 2019-09-09 | The charitable plugin before 1.5.14 for WordPress has unauthorized access to user and donation details. |
| CVE-2018-21012 | 2019-09-09 | The cf7-invisible-recaptcha plugin before 1.3.2 for WordPress has XSS. |
| CVE-2018-21013 | 2019-09-09 | The Swape theme before 1.2.1 for WordPress has incorrect access control, as demonstrated by allowing new administrator accounts via vectors involving xmlPath to wp-admin/admin-ajax.php. |
| CVE-2018-21014 | 2019-09-09 | The buddyboss-media plugin through 3.2.3 for WordPress has stored XSS. |
| CVE-2019-16146 | 2019-09-09 | Gophish through 0.8.0 allows XSS via a username. |
| CVE-2019-16114 | 2019-09-09 | In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he... |
| CVE-2019-16148 | 2019-09-09 | Sakai through 12.6 allows XSS via a chat user name. |
| CVE-2019-10669 | 2019-09-09 | An issue was discovered in LibreNMS through 1.47. There is a command injection vulnerability in html/includes/graphs/device/collectd.inc.php where user supplied parameters are filtered with the mysqli_escape_real_string function. This function is not... |
| CVE-2019-15639 | 2019-09-09 | main/translate.c in Sangoma Asterisk 13.28.0 and 16.5.0 allows a remote attacker to send a specific RTP packet during a call and cause a crash in a specific scenario. |
| CVE-2019-15895 | 2019-09-09 | search-exclude.php in the "Search Exclude" plugin before 1.2.4 for WordPress allows unauthenticated options changes. |
| CVE-2019-10665 | 2019-09-09 | An issue was discovered in LibreNMS through 1.47. The scripts that handle the graphing options (html/includes/graphs/common.inc.php and html/includes/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input.... |
| CVE-2019-10666 | 2019-09-09 | An issue was discovered in LibreNMS through 1.47. Several of the scripts perform dynamic script inclusion via the include() function on user supplied input without sanitizing the values by calling... |
| CVE-2019-10667 | 2019-09-09 | An issue was discovered in LibreNMS through 1.47. Information disclosure can occur: an attacker can fingerprint the exact code version installed and disclose local file paths. |
| CVE-2019-10668 | 2019-09-09 | An issue was discovered in LibreNMS through 1.47. A number of scripts import the Authentication libraries, but do not enforce an actual authentication check. Several of these scripts disclose information... |
| CVE-2019-10671 | 2019-09-09 | An issue was discovered in LibreNMS through 1.47. It does not parameterize all user supplied input within database queries, resulting in SQL injection. An authenticated attacker can subvert these database... |
| CVE-2019-12463 | 2019-09-09 | An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options (includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters... |
| CVE-2019-12464 | 2019-09-09 | An issue was discovered in LibreNMS 1.50.1. An authenticated user can perform a directory traversal attack against the /pdf.php file with a partial filename in the report parameter, to cause... |
| CVE-2019-12465 | 2019-09-09 | An issue was discovered in LibreNMS 1.50.1. A SQL injection flaw was identified in the ajax_rulesuggest.php file where the term parameter is used insecurely in a database query for showing... |
| CVE-2019-10670 | 2019-09-09 | An issue was discovered in LibreNMS through 1.47. Many of the scripts rely on the function mysqli_escape_real_string for filtering data. However, this is particularly ineffective when returning user supplied input... |
| CVE-2019-16159 | 2019-09-09 | BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through 2.0.5 has a stack-based buffer overflow. The BGP daemon's support for RFC 8203 administrative shutdown communication messages included an incorrect... |
| CVE-2019-16166 | 2019-09-09 | GNU cflow through 1.6 has a heap-based buffer over-read in the nexttoken function in parser.c. |
| CVE-2019-16165 | 2019-09-09 | GNU cflow through 1.6 has a use-after-free in the reference function in parser.c. |
| CVE-2019-16164 | 2019-09-09 | MyHTML through 4.0.5 has a NULL pointer dereference in myhtml_tree_node_remove in tree.c. |
| CVE-2019-16163 | 2019-09-09 | Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c. |
| CVE-2019-16162 | 2019-09-09 | Onigmo through 6.2.0 has an out-of-bounds read in parse_char_class because of missing codepoint validation in regenc.c. |
| CVE-2019-16161 | 2019-09-09 | Onigmo through 6.2.0 has a NULL pointer dereference in onig_error_code_to_str because of fetch_token in regparse.c. |
| CVE-2019-16168 | 2019-09-09 | In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in... |
| CVE-2019-12405 | 2019-09-09 | Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user... |
| CVE-2019-5483 | 2019-09-09 | Seneca < 3.9.0 contains a vulnerability that could lead to exposing environment variables to unauthorized users. |
| CVE-2019-5461 | 2019-09-09 | An input validation problem was discovered in the GitHub service integration which could result in an attacker being able to make arbitrary POST requests in a GitLab instance's internal network.... |
| CVE-2019-5463 | 2019-09-09 | An authorization issue was discovered in the GitLab CE/EE CI badge images endpoint which could result in disclosure of the build status. This vulnerability was addressed in 12.1.2, 12.0.4, and... |
| CVE-2019-5467 | 2019-09-09 | An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4,... |
| CVE-2019-5471 | 2019-09-09 | An input validation and output encoding issue was discovered in the GitLab email notification feature which could result in a persistent XSS. This was addressed in GitLab 12.1.2, 12.0.4, and... |
| CVE-2019-5473 | 2019-09-09 | An authentication issue was discovered in GitLab that allowed a bypass of email verification. This was addressed in GitLab 12.1.2 and 12.0.4. |
| CVE-2019-11605 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition 11.8.x before 11.8.10, 11.9.x before 11.9.11, and 11.10.x before 11.10.3. It allows Information Disclosure. A small number of GitLab API... |
| CVE-2019-16173 | 2019-09-09 | LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in application/core/Survey_Common_Action.php, |
| CVE-2019-16172 | 2019-09-09 | LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that... |
| CVE-2019-11544 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It allows Information Disclosure. Non-member users... |
| CVE-2019-11545 | 2019-09-09 | An issue was discovered in GitLab Community Edition 11.9.x before 11.9.10 and 11.10.x before 11.10.2. It allows Information Disclosure. When an issue is moved to a private project, the private... |
| CVE-2019-11546 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has a Race Condition which could allow users to approve... |
| CVE-2019-11547 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has Improper Encoding or Escaping of Output. The branch name... |
| CVE-2019-11548 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9. It has Incorrect Access Control. Unprivileged members of a project are able to post comments on confidential issues... |
| CVE-2019-11549 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. Gitaly has allows an information disclosure issue... |
| CVE-2019-6782 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 1 of 6). An authorization issue... |
| CVE-2019-6783 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. GitLab Pages contains a directory traversal vulnerability that could lead to... |
| CVE-2019-6784 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows XSS (issue 1 of 2). Markdown fields contain a... |
| CVE-2019-6785 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Denial of Service. Inputting an overly long string into... |
| CVE-2019-6786 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 1 of 3). The contents... |
| CVE-2019-6788 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 3 of 6). For installations using... |
| CVE-2019-6789 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 4 of 6). In some cases,... |
| CVE-2019-6792 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Path Disclosure. When an error is encountered on project... |
| CVE-2019-6793 | 2019-09-09 | An issue was discovered in GitLab Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The Jira integration feature is vulnerable to an unauthenticated blind SSRF issue. |
| CVE-2019-6794 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 5 of 6). A project guest... |
| CVE-2019-6795 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Insufficient Visual Distinction of Homoglyphs Presented to a User.... |
| CVE-2019-6960 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Access to... |
| CVE-2019-6995 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Users... |
| CVE-2019-16190 | 2019-09-09 | SharePort Web Access on D-Link DIR-868L REVB through 2.03, DIR-885L REVA through 1.20, and DIR-895L REVA through 1.21 devices allows Authentication Bypass, as demonstrated by a direct request to folder_view.php... |
| CVE-2019-6996 | 2019-09-09 | An issue was discovered in GitLab Enterprise Edition 10.x (starting in 10.6) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. The merge... |
| CVE-2019-6997 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting in 10.7) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control.... |
| CVE-2019-7176 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition 8.x (starting in 8.9), 9.x, 10.x, and 11.x before 11.5.9, 11.6.x before 11.6.7, and 11.7.x before 11.7.2. It has Incorrect... |
| CVE-2019-16187 | 2019-09-09 | Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script. |
| CVE-2019-16186 | 2019-09-09 | In Limesurvey before 3.17.14, admin users can access the plugin manager without proper permissions. |
| CVE-2019-6791 | 2019-09-09 | An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 3 of 3). When a... |
| CVE-2019-16185 | 2019-09-09 | In Limesurvey before 3.17.14, admin users can view, update, or delete reserved menu entries without proper permissions. |
| CVE-2019-16184 | 2019-09-09 | A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file. |
| CVE-2019-16183 | 2019-09-09 | In Limesurvey before 3.17.14, admin users can run an integrity check without proper permissions. |
| CVE-2019-16182 | 2019-09-09 | A reflected cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject arbitrary web script or HTML via extensions of uploaded files. |
| CVE-2019-16181 | 2019-09-09 | In Limesurvey before 3.17.14, admin users can mark other users' notifications as read. |
| CVE-2019-16180 | 2019-09-09 | Limesurvey before 3.17.14 allows remote attackers to bruteforce the login form and enumerate usernames when the LDAP authentication method is used. |
| CVE-2019-16179 | 2019-09-09 | Limesurvey before 3.17.14 does not enforce SSL/TLS usage in the default configuration. |
| CVE-2019-16178 | 2019-09-09 | A stored cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows authenticated users with correct permissions to inject arbitrary web script or HTML via titles of admin... |
| CVE-2019-16192 | 2019-09-09 | upload_model() in /admini/controllers/system/managemodel.php in DocCms 2016.5.17 allow remote attackers to execute arbitrary PHP code through module management files, as demonstrated by a .php file in a ZIP archive. |
| CVE-2019-16177 | 2019-09-09 | In Limesurvey before 3.17.14, the entire database is exposed through browser caching. |
| CVE-2019-16176 | 2019-09-09 | A path disclosure vulnerability was found in Limesurvey before 3.17.14 that allows a remote attacker to discover the path to the application in the filesystem. |